This paper addresses the challenge of detecting multi-vector attacks in Internet of Things (IoT) networks by leveraging Graph Attention Networks (GAT). A novel method is proposed for modeling IoT infrastructure as a weighted directed graph that captures not only the physical topology but also logical relationships and dynamic interactions between devices. Nodes represent heterogeneous IoT elements including end devices, routers, and gateways - while edges denote communication channels with assigned weights based on telemetry features. The method introduces a structured representation of telemetry in the form of feature vectors extracted from time-series data, enabling the detection of behavioral deviations at both node and network levels. Multi-vector attacks are formalized as transformations of the graph's structure and dynamics, allowing for the analysis of complex propagation chains involving devices, links, and control nodes. A GAT-based architecture is developed to process these representations, applying attention mechanisms to identify relevant contextual dependencies in the graph. The proposed detection pipeline consists of a telemetry converter, an interpreter for node classification, and a training module based on binary cross-entropy loss. Experimental validation was conducted using real-world datasets, covering a wide range of attack scenarios and device types. Comparative analysis with other graph-based methods (GCN, GraphSAGE, GAE) demonstrates the competitiveness of GAT in terms of accuracy, F1 score, and ROC-AUC - achieving a ROC-AUC of 0.955 while maintaining interpretability and scalability.
Internet of Things (IoT) devices are widely used in smart homes [
Approaches to detecting intrusions in IoT networks increasingly rely on deep learning. A promising direction is the use of graph neural networks (GNNs). Among them, graph attention networks (GAT) provide selective aggregation of information from neighboring nodes. This paper proposes a GAT-based model for detecting multi-vector attacks in IoT networks by combining graph representations with device telemetry. The method formalizes both physical and logical topologies to detect anomalies in nodes and interactions between devices using real IoT data with attack scenarios.
To develop an effective approach for detecting multivector attacks in IoT networks, existing research in this field has been analyzed.
In the article [
The article [
The article [
The article [40] discusses the problem of detecting network intrusions in Edge Computing environments, where traditional methods often prove ineffective due to the complexity and dynamism of network data. Although graph neural networks show potential in this area, most existing solutions are based on simplified graph construction methods that do not reflect the real behavioral relationships between nodes. This leads to overfitting, limited extraction of graph information, and reduced classification accuracy, especially in multi-class scenarios. To address these shortcomings, this paper proposes the BS-GAT method, a graph neural network with attention that takes into account the behavioral similarity between nodes. A new approach to graph construction is proposed, which integrates the weights of behavioral connections into the attention mechanism, allowing for more effective consideration of both structural and contextual information. The results of experiments on modern datasets confirm the effectiveness of the model: in binary classification, all key metrics exceed 99%, and in the multi-class case, the accuracy exceeds 93%, which indicates a significant advantage of the proposed approach over existing solutions. The study [41] addresses the issue of intrusion detection in Internet of Things (IoT) networks, where the high complexity and heterogeneity of the environment pose significant challenges for building effective protection systems. Although graph-based deep learning methods are already showing promise in the field of cybersecurity, most existing approaches form graphs based on physical connections, which does not always adequately reflect the relationships between nodes. This paper proposes a new concept, the Top-K Similarity Graph Framework (TKSGF), in which the graph is constructed based on the similarity of node attributes rather than physical connections. The GraphSAGE model is used to extract node representations, which allows for scalability. Study [42] investigates the problem of automatically detecting malicious outbound traffic from IoT devices. The authors tested several combinations of neural networks (CNN, LSTM, CNN-LSTM) on KDDCup99, NSL-KDD, UNSW-NB15, WSN-DS, and CICIoT2023 datasets. The CNN-LSTM configuration performed best — achieving up to 96% accuracy and 0.94 F1 score with low false positive rates. The authors note that combined spatial and temporal feature extraction ensures stability even in the presence of data imbalance, though highly resource-intensive models may be difficult to deploy in edge scenarios.
The authors of [43] proposed a fuzzy inference-based network traffic analysis system that uses only packet headers for classification (no payload). They defined nine linguistic variables and a set of if-then rules for TCP-SYN flood and other attacks. Results show high classification effectiveness: outperforming traditional binary fuzzy methods while reducing the load on network infrastructure. However, the solution has scalability limitations for complex attacks and requires enhancement of the rule knowledge base. In [44], the issue of network attack detection in cyber-physical systems is addressed using rule-based logical neural networks. The authors implemented an IDS solution that analyzes multivariate time series from sensors directly through a combination of logical rules and neural elements. The model is adapted to heterogeneous cyber-physical environments and showed higher classification accuracy compared to traditional statistical and rule-based approaches. In [45], a method for anomaly detection in IoT device traffic is proposed based on a modified Z-index, which does not require model training or labeled data. The approach builds a profile of normal device behavior, uses median and MAD for noise and outlier resistance, and applies exponential smoothing and cumulative deviation indices to detect both short- and long-term anomalies. The practical implementation with generated logs (4804 devices) showed up to 91% accuracy for interval-based anomalies, with an average F1 score ≈ 0.86. The method is attack-type independent, operates in real-time, and is suitable for resource-limited devices. A weak point remains its sensitivity to recurring patterns, which are difficult to detect without additional contextual analysis.
Present a system for detecting multi-vector attacks on an IoT network in the form of a graph that formalizes its topology, functional relationships, and the dynamics of interactions between devices. This approach will allow for the effective use of graph attention networks (GAT) for analyzing traffic structure, detecting anomalies, and modeling potential attack vectors. Figure 1 shows a general scheme of the mesh IoT network and attacks on the network.
Based on the presented mesh topology, the IoT network is described as a directed weighted graph: (1) where each component performs its function in the graph structure. The set of nodes is denoted as V, the set of edges as E.
For analytical modeling, the following additional components are added: • X ∈ R|V|×d – a matrix of node features, where is the number of descriptors or parameters describing each node • A∈ {0,1}|V|×|V| – a binary adjacency matrix indicating the presence or absence of a connection between nodes • W : E → R+ – a weight function on the edges that specifies the strength or priority of the connection between nodes
The set of nodes V in the graph model of the IoT network includes three categories of elements: end devices V ED, routers V R and critical network nodes V R. The V ED group includes sensors, actuators and other devices that generate or consume data – they are the most numerous and vulnerable to attacks. V R nodes are responsible for routing traffic between end devices and higher levels of the network, forming the main framework of the mesh structure. V C nodes, in particular C1, act as data concentration points or gateways connecting the local network with analysis and management systems. This structure allows you to model functional relationships and risk areas within the framework of detecting multi-vector attacks.
The nodes are divided into three functional groups: • V ED – end devices ed1 , ed2 , … , edn • V R – routers R1 , R2 , … , Rn • V C – controllers (control units / gateways) C1 Let's write the total set of nodes:
V =V ED∪ V R∪ V C
The set of edges E represents all possible connections between network nodes and reflects both the physical and logical topology of interactions. Each edge eij=(υi , υ j)∈ E reflects the transfer of information or control commands from node υi to node υ j To describe different directions of interaction in the IoT system, the set of edges is divided into two disjoint subsets - internal and external connections. Eint – internal connections between nodes within the IoT segment Eext – external logical connections from V C controllers to external systems, such as a control center or ML module. Physical edges within Eint can be implemented via wireless technologies such as ZigBee, BLE, LoRa or other low-power protocols. Eext edges, on the other hand, operate over IPoriented protocols (e.g., MQTT or HTTPS) and connect controllers to cloud infrastructure or higher-level systems. This separation allows us to separate local (network) interaction channels from channels leading to external objects, including interfaces to cloud systems, gateways, or control controllers. Formally, this is specified as follows:
E= Eint∪ Eext , Eint ∩ Eext= R
Thus, the set E includes both local routes that provide telemetry and command transmission, and global channels through which integration with the outside world is implemented.
The interaction between the nodes of the set V is implemented through directed edges of the set E, which form routes for transmitting data, commands, and control logic within the network and outside. The end devices V ED generate telemetry, which is transmitted to the routers V R through the edges: (2) (3) (4)
To display the logical connections of the IoT network with external information systems, a set of logical (non-physical) nodes is introduced:
V ext={υ1ext , υ2ext , … , υnext } (5) where υnext are nodes such as a ML engine for data processing, a security event control center (CHCC), a cloud storage, or a central telemetry collection server. They are not part of the physical topology of the IoT segment, but act as endpoints for logical communication channels. Thus, external edges are defined as:
(6)
That implement the transition from IoT protocols to IP-oriented technologies. In the reverse direction, control commands can flow through V C and V R to the actuators in V ED. Thus, the edges in the graph not only reflect physical or logical connections, but also determine the permissible paths for data circulation between network subsystems, taking into account the limitations of protocols, topology and security policies (Figure 2).
Within the graph model of the IoT network, each attack vector is considered as a transformation of the basic structure of the graph G that describes the current state of the system. In this graph, the node set V includes all devices in the network, the edge set E represents the directed links between them, the matrix X ∈ R|V|× F contains the numerical attributes of each node, the adjacency matrix A∈ R|V|×|V| reflects the presence of links, and the vector W ∈ RF (specifies the weights or importance of the edges (for example, bandwidth or channel reliability). Each attack vector α k is a targeted action that modifies one or more of these sets, leading to a new state of the network G , potentially unstable or vulnerable.
In IoT systems, attacks are almost never limited to a single vector of influence. Due to the complexity of the topology, the branched network structure, the presence of diverse device types, and the multi-level control model, security breaches often have a combined nature. Attackers employ multiple strategies – either simultaneously or sequentially – by targeting end devices, routers, communication channels, and control nodes. This defines the category of multi-vector attacks.
A multi-vector attack involves several directions of influence that reinforce each other. For instance, compromising a sensor may enable influence over a router, which in turn may provide access to the gateway. Such chained effects are extremely difficult to detect when events are analyzed in isolation. Therefore, an integrated model is required that can formalize both individual vectors of influence and their combinations. With in the proposed model, three fundamental types of attack vectors are distinguished: (7) (9) α multi=α ED+α c h+α ctrl
Where α ED denotes the compromise of an end device, α c h represents an attack on the data transmission channel, and α ctrl refers to interference with the operation of a controller or gateway. In this expression, each component corresponds to a specific functional domain of the IoT network. Collectively, they model a chain attack, which may begin, for example, with the compromise of an end device and culminate in the takeover of the system’s control logic.
A matrix representation was used to analyze impact scenarios. This approach made it possible to formalize the relationships between all network components and assess the intensity and direction of impact. It also made it possible to identify critical escalation paths.
M a=(m j) , mi , j∈ ΩED ,c h ,ctl i , j=1 … n (8) where M α is the mutual influence matrix within the IoT system.
Each element of this matrix, m_(i,j), reflects the presence and type of influence between component Fi and F j. If influence exists, it is defined by a type from a predefined set that includes the three main categories of attack vectors. Thus, the matrix not only captures the existence of interactions but also classifies them according to the source of the attack.
Ω=Ωed , Ωc h , Ωctrl
The Ω set represents three main categories of attack vectors within an IoT network. Ωed refers to compromises targeting end devices (sensor data tampering, data injection, malware installation). Ωc h refers to attacks on communication channels (packet interception, traffic redirection). Ωc h covers manipulations targeting control blocks or gateways. Each subset reflects a separate level of impact. This allows for the formalization of escalation scenarios at different levels of the IoT system.
Each subset covers typical attack operations at the corresponding level – from data interception to manipulation of control logic. To provide a more detailed view of the components, a block structure of the IoT system was introduced.
The matrix M IT describes the modular structure of the IoT system, where each logical subsystem Fi consists of a set of subcomponents Fi ,k, where i=0. . N IT. The number of such subsystems is defined by the parameter N IT, which represents the total number of functional blocks in the network. In turn, AIT , i denotes the set of compromised areas, formed as a union of all locally affected components that belong to the corresponding Fi. The resulting impact matrix can be expressed as:
M r=( mr ,1,1
⋮ mr ,1, NIT ,1 ⋯ ⋱ ⋯ mr ,1, N VP
⋮ mr , NIT , N VP
T ={T i|υi∈ V } T i={ti1 , ti2 , … , tiτ }, tik∈ Rd (10) (11) (12) where mr ,i , j is a numerical or logical estimate of the impact from the i-th element on the j-th object, N IT is the number of logical subsystems, and N VP is the number of vulnerable objects in the system.
This formalization reflects the structure of risks and allows building an automated analysis system that identifies nodes with the highest number of incoming and outgoing connections. It also assesses critical attack propagation paths and supports scenario testing for protection mechanisms. Representing a multi-vector attack as a graph allows us to move from an intuitive description to a formalized model. This model covers the structural and behavioral characteristics of an IoT network. Such formalization is a basic prerequisite for creating an effective mechanism for detecting and responding to complex compromise scenarios.
To link the formal topology with the actual dynamics of events in the network, we introduce the set T, which represents telemetry data describing the current parameter values of devices in the network over a given time period. This telemetry serves as the primary source of information for constructing feature vectors xi, evaluating node states, and identifying behavioral anomalies. We define the set T as follows: where each T i is a time series of measurements for node υi and has the following form: where τ is the number of time points, and d is the number of parameters (features) recorded by the device at each time step k; for example, RSSI, CPU load, latency, battery level, etc.
These time series reflect the behavior of devices in the network and form the foundation for constructing node feature vectors xi, analyzing network state, and detecting anomalies using statistical methods and the model. Since the set T contains dynamic elements, we do not use the entire series but only selected fragments within a fixed time interval [ t a , t b ], introducing a temporally localized subset of telemetry:
The description of the set of telemetry vectors T [ta,tb] provides information about the behavior of each node in the IoT network within the specified time interval. It allows for the assessment of both local and global changes in network state, detection of deviations in device parameters, and construction of a structured model G[ta,tb] used for anomaly detection. The feature vector xi summarizes the telemetry data of node υi∈ V over the interval [ t a , t b ], characterizing its functional state based on metrics tik. It serves as input to the GAT model used for analyzing and detecting anomalies.
xi=[ POWER LIMIT ]∈ R
RSSI LATENSY
CPU …
M (15) W ij={link metric if (υi , υ j)∈ E ) 0 , otherwise (14) (16) (17)
The content of the feature vector xi depends on the type of node and the set of available telemetry metrics. It may include parameters such as RSSI, latency, CPU usage, packet loss, power consumption, battery level, queue size, or other device state indicators. If needed, the feature set may also include latent characteristics obtained using an autoencoder or other dimensionality reduction techniques. The features are formed based on aggregated telemetry values over the time interval [ t a , t b ], for example, by calculating the mean, variance, maximum, or trend.
The structure of the graph G[ta,tb],, which represents the relationships between nodes of the IoT system within the specified time interval, is constructed by forming the edge set E⊆ V × V , where each edge ei , j=( υi , υ j ) denotes the presence of a data transmission channel or logical interaction between devices υi and υ j. Using the adjacency matrix Aij, we represent the structure of the graph required for computations in the GAT model, allowing us to define the connections between nodes and control the flow of information within the neural network.
Aij={
0 , otherwise
Aij=1 indicates that node υi transmits information and υ j receives it during neural network computations. To provide a more accurate description of node interactions, a weight matrix
W ∈ Rn×n is introduced, where the weight W ij represents the degree of influence from node υ_i to υ j:
The weight value is based on the characteristics of the data transmission channels and the behavioral parameters of the node.
For the generalized representation of node υi, obtained after passing through n layers of the GAT, we define the vector hi xij. It integrates the local behavior of the node (telemetry, features) and the structured context (interactions with neighboring nodes and their features). h(i n+1)=σ ( j∈∑N (i) a(ijn) W (n) h(n) j ) (18)
At each GAT layer, the new representation of node υi at level n+1 is computed as a nonlinear representation of the weighted sum of its neighbors’ features. Aggregation weights are determined using the attention mechanism, which dynamically defines the importance of each nodeυ j∈ N ( i ) in the context of υi. The evaluation mechanism is activated by a nonlinear function σ (ReLU або ELU), and a(ijn) defines the attention coefficient of nodeυ j with respect to υi.
The threshold value θ for anomaly decision-making can be either fixed or adaptive. In certain scenarios, it is appropriate to use statistical or quantile-based approaches that take into account the current distribution of scoring values in the network. This enables better adaptation to changing system conditions. The interpreter makes the anomaly decision for the representation of node υi according to the algorithm described below.
Require: Graph representation G=(V , E , X ) , GAT −generated node embeddings hi∈ Rd Ensure: Anomaly detection result yi∈ {0,1 } for each node υi∈ V 1: Begin 2: Input data preprocessing 3:Extract telemetry T [ta,tb] and compute embedding hi via trained GAT model 4: Score calculation 5: For each node υi∈ V , compute anomaly score: 6: si=hi , Ci 15: Output classification vector ⃗y =[ y1 , y1 , … , y1n] 16: End
The decision-making algorithm implements the classification rule for the behavior of network node υi, based on the feature vector hi generated after passing through the GAT block. A scoring function is used to produce a numerical value s_i that reflects the degree of deviation in the node's behavior in the context of its neighbors. The decision is made by comparing s_i with an adaptive or fixed threshold θi, calculated using statistical rules as θi= μs+ λ ∙ σ s. As a result, a classification label yi∈ {0,1 } is assigned, where 1 indicates an anomaly and 0 corresponds to a normal node state.
The GAT model is refined by adjusting its parameters based on the observed behavior of nodes in the IoT network. Training is performed iteratively as follows: at each step, the network receives input feature vectors xi and generates corresponding representations hi, which are then analyzed by the interpretation module. The obtained results are compared against expected labels or statistical references.
Require: Graph structure G=(V , E , X ), telemetry dataset T [ta,tb] initialized GAT model Ensure: Trained GAT model with optimized parameters W , aij 1: Begin 2: Preprocess telemetry data T [ta,tb] to generate node features X ={ x1 , x2 , … , xn } 3: Construct graph G=(V , E , X ) 4: Initialize GAT model parametersW and attention weights aij 5: for each e∈ {1 , … , E } do 6: for each node υi∈ do 7: Compute node embedding hi using GAT 8: Infer anomaly score or label yi 9: end for 10: Compute lossL(h,y) (binary cross-entropy) 11: Back propagate gradients and update W , aij 12: end for 13: Output: Trained GAT model 14: End
To optimize the model parameters, a binary cross-entropy loss function L(h,y) is used, which allows for an accurate assessment of the discrepancy between the predicted and expected anomaly values at each training step.
Figure 3 presents the proposed architecture of the GAT-based anomaly detection model for IoT networks. It is built upon the coordinated interaction of three core components: the converter, the interpreter, and the training module. Input data in the form of telemetry T [ta,tb] enters the system through a data collection pipeline. The converter generates a feature vector xi that reflects the functional state of the node within the specified time interval. The interpreter then constructs the representation hi using the attention mechanism, which takes into account both the node’s local features and the structure of its neighborhood in the graph. This representation is passed to the training module, which estimates the probability of anomalous behavior and optimizes the model using the loss function.
The simulation results demonstrate that combining the structural representation of the IoT network with telemetry interpretation via a GAT model enables the construction of a flexible mechanism for detecting complex, multi-vector attacks.
In the course of the experimental modeling, both publicly available and synthetically generated IoT datasets were utilized. Public datasets such as UNSW BoT-IoT were used at the initial stage for baseline evaluation, while a custom-generated dataset was employed to simulate ZigBee-based telemetry from low-power IoT devices. The synthetic data included frame-level attributes (e.g., RSSI, LQI, sequence number) and was created using a controlled Python-based simulation pipeline. The datasets cover a wide range of parameters including wireless signal characteristics, devicelevel metrics, behavioral anomalies, and logical communication patterns, and include labeled instances of various attacks such as DoS, spoofing, scanning, privilege escalation, and data poisoning.
For the purposes of this study, each dataset was preprocessed and transformed into a graphbased format, where nodes represent IoT devices and edges represent communication channels (physical or logical). Node attributes include both telemetry data and signature-based features, which serve as input to the graph neural network.
Figure 4 illustrates the sequential transformation of raw IoT telemetry into feature vectors suitable for processing by graph neural networks. The first block contains raw dataset values such as CPU, RAM, network traffic, protocol, and class labels.
The second block shows the normalized form of the feature vectors xi, corresponding to the first level of preprocessing: percentage values of CPU and RAM were converted to numerical form (from 0 to 1), and packet count values were scaled.
The third block illustrates the formation of hidden-space vectors hi, obtained through a linear transformation of the features xi (emulating the weighted aggregation mechanism in GAT). Each vector becomes part of the subsequent aggregation process within the device's subgraph.
This output represents the final result of the model’s forward pass on a single data batch, enabling the computation of the loss function and subsequent training.
Figure 5 shows a visualization of the transition from a time series of network traffic to the graph representation of IoT devices.
On the left, the time series of the feature pkt_count (packet count) for individual devices is shown; red dots indicate anomalous nodes. On the right, a constructed graph is presented, where each vertex corresponds to a device and edges reflect feature similarity in the hidden space. This transformation serves as the basis for further processing by the graph neural network.
Figure 6 illustrates the processing results of IoT devices within the graph neural network across multiple training epochs. Each row originally corresponded to a single network device at a specific point in time. The vectors h1 , h2 , h3 represent the hidden features of the node, formed based on its local neighborhood in the graph.
During the experimental modeling, the model’s classification performance was also evaluated based on the learned node representations hi. The model’s ability to correctly determine whether a node belongs to the "normal" or "anomalous" class within the graph structure was assessed. Standard classification metrics were used for this purpose: accuracy, recall, precision, F1-score, and ROC-AUC — the latter capturing model stability under varying decision thresholds.
A comparison of four graph-based models was performed, namely GCN, GraphSAGE, GAE, and the proposed GAT. The results of the performance comparison are presented in Table 1 and Figure 7.
The GCN model demonstrates an accuracy of 0.93 and an F1-score of 0.92, indicating its effectiveness in tasks with clearly defined classes. GraphSAGE shows only a slight decrease in accuracy while maintaining stable recall and precision values. GAE, being an autoencoder-based model, underperforms across all metrics but remains suitable for unsupervised learning.
GAT, although ranking second or third across most metrics, achieves the highest ROC-AUC value of 0.955. This highlights its strong ability to distinguish between normal and anomalous nodes under varying threshold conditions. These results suggest that GAT has substantial potential for analyzing long-term behavioral trends in network structures, despite some decline in local classification accuracy.
The proposed approach to detecting multi-vector attacks in IoT networks is based on the use of graph attention networks. This allows for the structural properties of the network and the behavioral characteristics of devices to be taken into account. Building a graph model using telemetry and structural connections, along with applying attention mechanisms for weighted aggregation of information, ensures high sensitivity to complex multi-vector attacks. Experimental results have shown that the GAT model is capable of effectively detecting attacks. A comparative analysis with other GNN-based models confirmed the competitiveness of GAT in anomaly detection tasks. In future work, the main focus will be on improving the accuracy of the model and the value of the F1-score.
AI tools were used solely as translation and proofreading aids. All content was originally authored by the submitting party. [2] S. S. I. Samuel, A review of connectivity challenges in IoT-smart home, in: 2016 3rd MEC International Conference on Big Data and Smart City (ICBDSC), IEEE, 2016. doi:10.1109/icbdsc.2016.7460395. [3] M. S. Farooq, S. Riaz, A. Abid, T. Umer, Y. B. Zikria, Role of IoT Technology in Agriculture: A
Systematic Literature Review, Electronics 9.2 (2020) 319. doi:10.3390/electronics9020319. [4] J. Xu, B. Gu, G. Tian, Review of agricultural IoT technology, Artif. Intell. Agric. 6 (2022) 10–22.
doi:10.1016/j.aiia.2022.01.001. [5] Y. Song, F. R. Yu, L. Zhou, X. Yang, Z. He, Applications of the Internet of Things (IoT) in Smart
Logistics: A Comprehensive Survey, IEEE Things J. (2020) 1. doi:10.1109/jiot.2020.3034385. [6] C. Caballero-Gil, J. Molina-Gil, P. Caballero-Gil, A. Quesada-Arencibia, IoT Application in the Supply Chain Logistics, in: Computer Aided Systems Theory - EUROCAST 2013, Springer Berlin Heidelberg, Berlin, Heidelberg, 2013, pp. 55–62. doi:10.1007/978-3-642-53862-9_8. [7] S. Selvaraj, S. Sundaravaradhan, Challenges and opportunities in IoT healthcare systems: a systematic review, SN Appl. Sci. 2.1 (2019). doi:10.1007/s42452-019-1925-y. [8] B. Farahani, F. Firouzi, K. Chakrabarty, Healthcare IoT, in: Intelligent Internet of Things,
Springer International Publishing, Cham, 2020, pp. 515–545. doi:10.1007/978-3-030-30367-9_11. [9] Z. Lv, B. Hu, H. Lv, Infrastructure Monitoring and Operation for Smart Cities Based on IoT
System, IEEE Trans. Ind. Inform. 16.3 (2020) 1957–1962. doi:10.1109/tii.2019.2913535. [10] R. Sharma, Evolution in Smart City Infrastructure with IOT Potential Applications, in: Intelligent Systems Reference Library, Springer International Publishing, Cham, 2018, pp. 153– 183. doi:10.1007/978-3-030-04203-5_8. [11] Koroliuk, R., Nykytyuk, V., Tymoshchuk, V., Soyka, V., Tymoshchuk, D. Automated monitoring of bee colony movement in the hive during winter season. CEUR Workshop Proceedings, 2024, 3842, pp. 147-156 [12] T. L. Narayana, C. Venkatesh, A. Kiran, C. B. J, A. Kumar, S. B. Khan, A. Almusharraf, T.
Quasim, Advances in real time smart monitoring of environmental parameters using IoT and sensors, Heliyon (2024) e28195. doi:10.1016/j.heliyon.2024.e28195. [13] Didych, I., Mykytyshyn, A., Stanko, A., Mytnyk, M. Application of machine learning methods to the prediction of NO2 concentration in the air environment. CEUR Workshop Proceedings, 2024, 3896, pp. 569–577 [14] D. Tymoshchuk, O. Yasniy, P. Maruschak, V. Iasnii, I. Didych, Loading frequency classification in shape memory alloys: A machine learning approach, Computers 13.12 (2024) 339. doi:10.3390/computers13120339. [15] Stukhliak, P., Totosko, O., Stukhlyak, D., Vynokurova, O., & Lytvynenko, I. (2024). Use of neural networks for modelling the mechanical characteristics of epoxy composites treated with electric spark water hammer. CEUR Workshop Proceedings, 3896, 405–418. [16] O. Yasniy, D. Tymoshchuk, I. Didych, V. Iasnii, I. Pasternak, Modelling the properties of shape memory alloys using machine learning methods, Procedia Struct. Integr. 68 (2025) 132–138. doi:10.1016/j.prostr.2025.06.033. [17] Stukhliak, P., Martsenyuk, V., Totosko, O., Stukhlyak, D., & Didych, I. (2024). The use of neural networks for modeling the thermophysical characteristics of epoxy composites treated with electric spark water hammer. CEUR Workshop Proceedings, 3742, 13–24. [18] O. Yasniy, P. Maruschak, A. Mykytyshyn, I. Didych, D. Tymoshchuk, Artificial intelligence as applied to classifying epoxy composites for aircraft, Aviation 29.1 (2025) 22–29. doi:10.3846/aviation.2025.23149. [19] O. Chukur, N. Pasyechko, A. Bob, A. Sverstiuk, Prediction of climacteric syndrome development in perimenopausal women with hypothyroidism, Menopausal Rev. (2022). doi:10.5114/pm.2022.123522. [20] S. O. Nykytyuk, A. S. Sverstiuk, D. S. Pyvovarchuk, S. I. Klymnyuk, A multifactorial model for predicting severe course and organ and systems damage in Lyme borreliosis in children, Mod.
Pediatr. Ukr. No. 2(130) (2023) 6–16. doi:10.15574/sp.2023.130.6. [40] Y. Wang, Z. Han, Y. Du, J. Li, X. He, BS-GAT: a network intrusion detection system based on graph neural network for edge computing, Cybersecurity 8.1 (2025). doi:10.1186/s42400-02400296-8. [41] T. Ngo, J. Yin, Y.-F. Ge, H. Wang, Optimizing IoT Intrusion Detection—A Graph Neural Network Approach with Attribute-Based Graph Construction, Information 16.6 (2025) 499. doi:10.3390/info16060499. [42] Klots Y., Petliak N., Martsenko S., Tymoshchuk V., Bondarenko I. Machine Learning system for detecting malicious traffic generated by IoT devices. CEUR Workshop Proceedings, 2024, 3742, pp. 97 – 110 [43] Petliak N., Klots Y., Titova V., Salem A.-B.M. Attack detection system based on network traffic analysis by means of fuzzy inference. CEUR Workshop Proceedings, 2024, 3899, pp. 201 – 213 [44] Titova, V., Klots, Y., Cheshun, V., Petliak, N., Salem, A.-B.M. Detection of network attacks in cyber-physical systems using a rule-based logical neural network. CEUR Workshop Proceedings, 2024, 3736, pp. 255–268 [45] Stetsiuk, M., Anikin, V., Pyrch, O., Kozelskiy, O., Salem, A.-B.M. Method of detecting anomalies in IOT device traffic based on statistical analysis using the modified z score. CEUR Workshop Proceedings, 2025, 3963, pp. 284–298